From the Department of Redundancy Department here comes another set of regulatory hilarity that will definitely impact both business and security professionals alike. I give you the GDPR!
The General Data Protection Regulation (GDPR) is very similar to the U.S. NIST, PCI DSS, and HIPAA data security standards. Like the U.S. HIPAA or PCI rules, GDPR lays down a foundation of data security and privacy requirements: how consumers can access and transfer their data, what fines and penalties apply, and how GDPR applies to EU member states.
GDPR will impact information security products and services globally. Security vendors will have to incorporate GDPR standards into their products, and InfoSec professionals will have to be familiar with the various privacy and security rules within GDPR. However, EU members have until May 28th 2018 before compliance becomes mandatory.
Information Security Professionals must have more than a passing knowledge of the various rules and regulations that impact the management of the enterprise data in their charge. InfoSec pros must be familiar with local, state, federal and international privacy and security guidelines that govern the confidentiality, integrity and availability of the data they protect. Knowledge of legal and regulatory frameworks is becoming as important a skill as proficiency in the security technologies they use to protect sensitive data.
I’m rather surprised the Certification Industrial Complex hasn’t jumped at the chance to create an overall certification for the mountain of legal and regulatory guidance that governs privacy and security. Maybe having a law degree will be the next prerequisite that HR folks will require for employment. I can see it now: “Corp X req: must have a law degree, CISSP, CRISC, PMP, MBA, 15 years experience. 6 month engagement @ $45 per hour.”
Let me know your thoughts in the comments below.